Fix incomplete sanitization - properly escape backslashes in URL escaping

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
2025-12-23 15:50:07 +08:00 · 2025-12-22 14:50:31 +00:00 · 2025-12-22 14:50:31 +00:00 · 6f7a54a614
commit 6f7a54a614
parent 6397415d7f
1 changed files with 16 additions and 10 deletions
--- a/back/services/system.ts
+++ b/back/services/system.ts
@ -255,9 +255,15 @@ export default class SystemService {
        }
        
        if (defaultDomain && targetDomain) {
-          // Escape special characters for sed
-          const escapedDefault = defaultDomain.replace(/\//g, '\\/').replace(/\./g, '\\.');
-          const escapedTarget = targetDomain.replace(/\//g, '\\/');
+          // Sanitize and escape special characters for sed
+          // Escape backslashes first, then other special characters
+          const escapedDefault = defaultDomain
+            .replace(/\\/g, '\\\\')  // Escape backslashes first
+            .replace(/\//g, '\\/')   // Escape forward slashes
+            .replace(/\./g, '\\.');  // Escape dots
+          const escapedTarget = targetDomain
+            .replace(/\\/g, '\\\\')  // Escape backslashes first
+            .replace(/\//g, '\\/');  // Escape forward slashes
          
          // Replace mirror URL in main sources.list
          command = `sed -i 's/${escapedDefault}/${escapedTarget}/g' /etc/apt/sources.list`;
@ -297,13 +303,13 @@ export default class SystemService {
        if (info.linuxMirror) {
          targetDomain = info.linuxMirror;
        }
-        command = `sed -i 's/${defaultDomain.replace(
-          /\//g,
-          '\\/',
-        )}/${targetDomain.replace(
-          /\//g,
-          '\\/',
-        )}/g' /etc/apk/repositories && apk update -f`;
+        // Sanitize and escape special characters for sed
+        // Escape backslashes first, then other special characters
+        command = `sed -i 's/${defaultDomain
+          .replace(/\\/g, '\\\\')  // Escape backslashes first
+          .replace(/\//g, '\\/')}/${targetDomain
+          .replace(/\\/g, '\\\\')  // Escape backslashes first
+          .replace(/\//g, '\\/')}/g' /etc/apk/repositories && apk update -f`;
      } catch (error) {
        this.logger.error('Failed to read /etc/apk/repositories', error);
      }